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l. INTRODUCTION 


The Centre for Information Policy Leadership (CIPL)* welcomes the opportunity to comment on the 
European Data Protection Board (EDPB) draft Guidelines 9/2020 on relevant and reasoned objection 
under Regulation 2016/679 (the Guidelines). 


The purpose of the Guidelines is to: 


e Provide guidance to Supervisory Authorities (SAs) and others on the concept of a “relevant 
and reasoned objection”; 


e Establish a common understanding of the terms “relevant and reasoned”; and 


e Provide guidance on what should be considered when assessing whether an objection “clearly 
demonstrates the significant of the risks posed by a draft decision as regards the fundamental 
rights and freedoms of data subjects and, where applicable, the free flow of personal data 


within the Union” ?. 


The Guidelines refer to the relationship between SAs before the issue of a draft decision and note that 
a dispute as to the identity of the Lead Supervisory Authority (LSA) cannot give rise to a relevant and 
reasoned objection. 


CIPL welcomes this guidance. CIPL considers an effective cooperation and consistency mechanism to 
be crucial to effective, proportionate pan-EU regulation. The system of cooperation and consistency 
established by the General Data Protection Regulation (GDPR) (generally referred to as the One Stop 
Shop (OSS)) is a novel development. CIPL values the role of OSS in the delivery of effective, consistent, 
transparent and proportionate regulation. The enforcement of the GDPR must be perceived to be fair 
and effective by data subjects, controllers and processors. CIPL supports the aim of the EDPB to 
achieve flexible, timely and responsive oversight. It considers the Guidelines will help streamline and 
clarify the process of decision-making through the OSS, thus supporting robust decision-making in 
regulatory action on matters of cross-border processing 


CIPL agrees that the identity of a LSA with responsibility for the supervision of a particular controller 
or processor is not a matter to be raised under Article 60. If such objections are raised, the proper 
forum appears to be under Article 64(2). Any such objection can then be determined by the EDPB 


t CIPL is a global data privacy and cybersecurity think tank in the law firm of Hunton Andrews Kurth LLP and is 
financially supported by the law firm and over 85 member companies that are leaders in key sectors of the 
global economy. CIPL’s mission is to engage in thought leadership and develop best practices that ensure both 
effective privacy protections and the responsible use of personal information in the modern information age. 
CIPL’s work facilitates constructive engagement between business leaders, privacy and security professionals, 
regulators and policymakers around the world. For more information, please see CIPL’s website at 
http://www.informationpolicycentre.com/. Nothing in this submission should be construed as representing 
the views of any individual CIPL member company or of the law firm of Hunton Andrews Kurth. 

2 Article 4(24) of the GDPR. 
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under Art. 65(1)(b). The identity of the LSA should be clear before any actions leading to a draft 
decision under Article 60 are commenced. 


CIPL members appreciate the commitment to transparency demonstrated by the EDPB in publishing 
the draft Guidelines. It is helpful for controllers and processors to have insight into the practicalities 
of the decision-making process followed by the SAs and the EDPB. 


The EDPB has not yet issued decisions in any cases where relevant and reasoned objections have been 
lodged. As experience in handling actual cases is gained, CIPL anticipates that lessons will be learned 
by all parties. We recommend that the Guidelines be kept under review as experience is gained in this 
area. 


While CIPL welcomes the Guidelines, we have a number of concerns and submit that, in order to 
ensure a responsive and effective oversight mechanism, the Guidelines should clarify or address a 
number of additional points. 


lI. SUMMARY OF CIPL COMMENTS 


1. The Guidelines do not sufficiently address the obligation on the LSA to produce a properly 
structured draft decision for the consideration of Concerned Supervisory Authorities (CSAs). The 
draft decision must be sufficiently detailed, considered and supported by evidence to allow CSAs 
to assess whether relevant and reasoned objections are appropriate. 


2. The Guidelines focus on the investigative process and exchange of information prior to the draft 
decision. It should be made clear that a relevant and reasoned objection can only be made to the 
draft decision. 


3. It would be helpful to recall more prominently in the Guidelines that the lodging of a relevant and 
reasoned objection should never be a routine or regular matter. Routine objections could de-rail 
the timeframe for effective decision-making and engage significant resource from the EDPB 
thereby slowing down the regulatory process. 


4. The Guidelines should recall that the threshold for lodging relevant and reasoned objections is a 
high one. Such objections should only be lodged in serious cases, where there are real risks to 
data subjects or the free flow of data occasioned by the draft decision. They should not be lodged 
simply because a CSA would have come to a different decision. 


5. The Guidelines should clarify that objections must be confined to the parameters of the decision 
being considered. If a CSA considers that other matters should be investigated or other 
complaints considered that is not a matter for an objection to a specific decision. 


6. Controllers and processors subject to enforcement proceedings or penalties that have been 
imposed following the consideration of relevant and reasoned objections may seek discovery and 
disclosure of such material in order to bring appeals. It is therefore important that these 
guidelines stress the independence of the LSA under national administrative law. 


7. It should be acknowledged that in nearly every case of cross-border processing an enforcement 
or penalty decision will have a potential impact on the free flow of data. Hence it is likely that it 
should be considered in all cases. 


8. The risks to individual rights and freedoms and the risks to the free flow of data must be given 
equal weight. 
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9. The Guidelines could focus more on the fact that the work of investigation and the process to 
reach a draft decision and enforcement are matters governed by Member State laws and 
procedural rules. Due weight and respect must be accorded to these factors. 


10. A relevant and reasoned objection must relate to the decision itself and not the associated 
procedure unless the failure to follow proper procedures has wholly undermined the validity of 
the draft decision. 


III. CIPL COMMENTS 


1. The Guidelines do not address the obligation on the LSA to produce a properly structured draft 
decision for the consideration of CSAs. The draft decision should be sufficiently detailed, 
considered and supported by evidence to allow CSAs to assess whether relevant and reasoned 
objections are appropriate. 


CIPL agrees that in lodging an objection the CSA must, as set out in paragraph 21, provide all the 
information, facts, documents and legal arguments on which it relies to effectively present the case. 
It notes, however, that the Guidelines do not explicitly state this to be required of the LSA in presenting 
a draft decision. CIPL submits that it should be explicit that a draft decision must meet properly 
rigorous standards to enable CSAs to make informed decisions as to whether an objection is justifiable. 
The Guidelines should make clear that draft decisions must provide CSAs with all information required 
to decide whether an objection is justified and appropriate. The EDPB’s tasks in relation to the 
consistency procedure are sufficiently widely phrased to cover such guidance’. CIPL suggests that the 
material included in paragraphs 18, 19, 21 and 26 as guidance to CSAs on the obligations to provide 
clear reasoning and a sound evidential basis and all relevant information could usefully be re-worked 
to emphasise that these are requirements of the draft decision. CIPL appreciates this is implicit but 
suggests it should be made explicit that the same standards apply to the draft decision and to any 
objections. 


2. The Guidelines overly focus on the investigative process and exchange of information prior to 
the draft decision. It should be clear that a relevant and reasoned objection can only be lodged 
in relation to a draft decision. 


The GDPR sets out extensive provisions governing how SAs should work together. Chapter VII provides 
for mutual assistance’ and joint operations between SAs°. Where SAs are concerned and there has 
been a failure to comply with these obligations, Article 64(2) provides for a reference to the EDPB that 
can be adjudicated under Article 64(3). 


The obligations to consider complaints and to conduct investigations are subject to the competence 
of national SAs as set out in Section 2 of Chapter VI of the GDPR. Investigations are the province of 
national SAs under Article 57(1)(h). Such investigations must be carried out under national provisions. 
The obligation to cooperate with other SAs, including sharing information and providing mutual 
assistance with a view to ensuring the consistency of application and enforcement of the GDPR, under 
Article 57(1)(g), does not equate to an obligation to engage other SAs throughout the course of an 
investigation, as appears to be suggested in paragraphs 1, 8 and 9 of the Guidelines. The process for 
involving other SAs in investigations is clearly set out in and regulated by Articles 61 and 62 as 


3 Article 70(1)(e) of the GDPR. 
4 Article 61 of the GDPR. 
5 Article 62 of the GDPR. 
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explained above. CIPL wholly supports proper cooperation and appropriate exchanges of information 
between SAs. However, we note that a clear distinction has been made in the GDPR between 
cooperation in the investigative process and cooperation in the consistency process. 


CIPL submits that the following statement in paragraph 1 does not accurately describe the legal 
obligations on SAs under Chapter VII of the GDPR: “This duty of cooperation applies to every stage of 
the procedure, starting with the inception of the case and extending to the whole decision-making 
process”. On a practical basis, in many cross-border cases several SAs may be CSAs. It would be 
impractical for multiple CSAs to seek to take part in directing complaints and investigations. 


Under the GDPR, every SA must act independently in making decisions on the conduct of 
investigations, the collection of relevant evidence and assessment of the matters within its statutory 
remit. The independence of SAs has been emphasised by the CJEU®. It is also stated clearly in Art. 
51(1). The independence of SAs would be undermined if other SAs were to be intimately concerned 
with the conduct of investigations, outside the statutory scheme as set out in Articles 61 and 62. There 
is significant risk that, if this element of the Guidelines is applied, a LSA could be accused of failing to 
conduct independent investigations. A LSA that took guidance from, or followed the instructions of, 
other SAs in the conduct of investigations or decisions on which complaints to pursue would leave 
themselves open to serious challenge to subsequent enforcement decisions, potentially undermining 
the central aim of effective enforcement. 


The GDPR sets out a process by which SAs work together and share information under Articles 61 and 
62. The obligations of cooperation and consistency in Article 60 are wholly different from the process 
for the exchange of information during the course of an investigation or joint working. Under Article 
60, the parties must exchange all mutual information needed to reach a consistent decision. This duty 
arises at the conclusion of a proper investigation. It is not a duty that arises during an investigation. 
CIPL considers that the following statement in paragraph 8 is misconceived as it conflates the 
obligation on the LSA to provide a proper draft decision, supported by appropriate evidence, with the 
investigative process before the draft decision: “The degree of involvement of a CSA in the process 
leading to the draft decision, if it leads to an insufficient knowledge of all the aspects of the case, can 
therefore be considered as an element to determine the degree of detail of the relevant and reasoned 
objection in a more flexible way”. 


At the conclusion of the investigation, the LSA must provide a full and clear statement of the matters 
in the draft decision. It is at this point that the obligation to exchange all relevant information about 
the draft decision arises, not during the process of the investigation. This mistake can also be seen in 
paragraph 36, which suggests that a draft decision that is insufficiently detailed in factual explanation 
could be remedied by the existence of a “previous exchange of information”. \f this were the case, the 
relevant SAs could reach a formal enforcement decision on relevant information that was not included 
in the draft decision. It is highly likely that draft decisions, as with the final decisions, will be disclosed 
to controllers, processors and concerned data subjects. As a matter of equity and proper procedure, 
the decision must therefore include all relevant material. This will also be important if the matter is 
subsequently referred to the EDPB. The LSA and CSAs cannot properly reach a decision on the basis of 
information exchanged between themselves and not represented in the decision itself. 


CIPL recognises that ongoing cooperation and liaison during an investigation may be appropriate in 
many cross border cases. The decision to engage in such cooperation and liaison rests with the LSA, 
which has the duty to conduct the investigation. This is equivalent to the position of national police 


ê Case C-518/07, European Commission v Federal Republic of Germany. 


4 


CIPL 


Centre for Information Policy Leadership 
HUNTON ANDREWS KURTH 








forces. In cases of cross-border crime, one national force may seek assistance and support from 
another national force but remain responsible for the investigation. CIPL therefore submits that the 
statement in paragraph 9 that the EDPB states that a relevant and reasoned objection can be used to 
raise objections to “insufficient degree of cooperation in the preceding stages of the OSS proceedings” 
is mistaken. 


CIPL would reiterate that the OSS proceedings under the cooperation and consistency mechanism in 
Chapter VII of the GDPR do apply until the draft decision has been submitted. Cooperation in 
investigations falls under Chapter VI, which covers the role of the independent supervisory authorities. 


CIPL concludes that the focus of the Guidelines on the process of investigation could create legal 
ambiguity with respect to the proper role of the EDPB in national proceedings. The process of an 
investigation is a matter for LSAs under their national powers and procedural rules. Under Article 60, 
CSAs are properly concerned with the outcome of that process and the draft decision. 


CIPL suggests that the Guidelines could helpfully give a strong message in relation to the importance 
of the draft decision setting out a full statement of the case and evidential basis, as proposed in point 
1 of the submission, rather than the work on the LSA that receded the draft decision. 


3. The Guidelines should clarify that the threshold for lodging relevant and reasoned decisions is a 
high one. Such objections should only be lodged in serious cases where there are real risks to 
data subjects and the free flow of data occasioned by the draft decision. They should not be 
lodged simply because a CSA would have come to a different decision. 


CIPL endorses the statement at paragraph 37 that a CSA will have to show that risks to the rights and 
freedoms of data subjects and the free flow of data must be shown to be substantial and plausible 
when lodging an objection. 


Given the different histories and cultures of jurisdictions in the EEA, different approaches to 
enforcement are inevitable. The cooperation and consistency mechanism in the GDPR recognises that 
different SAs will reach different positions on enforcement decisions. As such, it implicitly creates a 
“margin of appreciation” in respect of enforcement decisions, which is a recognition that SAs from 
different Member States will weigh matters in different ways resulting in a range of possible decisions 
in individual cases. It provides a formal process for the resolution of differences where there are 
serious, fundamental, well-founded differences of view as to the risks to data subjects and the free 
flow of data arising from a proposed decision. The Guidelines should emphasise that the most 
important aspect of any objection will be consideration of the impact of the draft decision on the risks 
to the fundamental rights and freedoms of data subjects and the free flow of data. Objections can 
therefore only be justified where the draft decision would pose a significant risk to those interests. 
CIPL would recommend a re-structuring of the Guidelines to place this aspect before the analysis of 
what constitutes a relevant and reasoned objection. It is the pre-condition for lodging a relevant and 
reasoned objection. 


In this regard we suggest a re-wording of paragraph 42 to make clear that in assessing whether a draft 
decision to act or decision not to act is “appropriate, necessary and proportionate”, it should be 
clarified that CSAs must respect the decisions of LSAs within a reasonable margin of appreciation. The 
fact that one SA would have taken a different view would not be in itself grounds to assert that a 
specific decision is not appropriate or proportionate. 
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4. The Guidelines should clarify that objections must be confined to the parameters of the decision 
being considered. If a CSA considers that other matters should have been investigated or other 
complaints considered, that is not a matter for an objection to a specific decision. 











CIPL is particularly concerned at the following statement made in paragraph 20: “In cases where the 
objection is based on the opinion that the LSA failed to fully investigate an important fact in the case 
or an additional violation of the GDPR it would be sufficient for the CSA to present such arguments in 
a conclusive and substantiated manner”. 


This conflates two wholly different circumstances. In a case where a CSA has good reason to be 
concerned that a draft decision relies on an inadequate evidential basis, CIPL wholly concurs that a 
relevant and reasoned objection could be justified, as long as the other tests in relation to risk were 
met. However, in a case where the CSA considers there are other violations of the GDPR, such 
perceived lacunae should properly be addressed by referring the additional violations to the LSA, with 
a request to consider those matters and conduct investigations as appropriate. A relevant and 
reasoned objection can only be made to the contents of a draft decision, not to some other matter 
that is not the subject of the draft decision. 


The same approach appears in paragraph 28, which appears to suggest that a relevant and reasoned 
objection could be employed as a mechanism by which one SA can use it to dispute decisions made 
by another SA on the proper conduct of an investigation or handling of a complaint referred. The use 
of a relevant and reasoned objection for this purpose is wholly out-with the scope of Article 60. 


CIPL cautions that the use of the formal process under Article 60 to address differences of views about 
the nature of complaints or the conduct of investigations would be likely to lead to serious legal 
challenges, as well as disrupting the decision-making process. CIPL recognises that SAs will take 
different views on how complaints should be handled or investigations conducted, however, the use 
of the Article 60 mechanism is not the proper way to address such differences. 


5. There should be more focus on the fact that the lodging of a relevant and reasoned objection 
should never be a routine or regular matter. If this were to be the case, the aim of effective and 
timely regulation would be undermined. Routine objections could de-rail the timeframe for 
effective decision-making and engage significant resource from the EDPB, thereby slowing down 
the regulatory process. If such objections became commonplace, there would be a serious risk 
that the public perception of SAs would be negatively affected. They could be perceived as 


looking inward, focusing on technical matters rather than addressing the serious issues of 
enforcement. 


Controllers and processors facing enforcement by LSAs in cases that involve CSAs will generally be 
large organisations whose activities affect significant numbers of data subjects. The more complex a 
regulatory process, the more parties involved, the longer cases will take to resolve. As uses of personal 
data become ever more complex, clear and decisive action by regulators will be essential to safeguard 
the rights of data subjects. Regulators must aim to achieve such decisions within a timescale that 
provides appropriate outcomes for data subjects as well as certainty for controllers and processors. 
CIPL understands that, in complex cases, thorough investigation and assessment of all the relevant 
issues will take time. If CSAs’ objections were to become a general practice, the impact on the 
timescales for reaching decisions would be significant. 


CIPL recognises that the OSS is an immature and untested mechanism, yet one that is intrinsically 
linked to the spirit of the GDPR to remove administrative barriers and put in place a single and 
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coherent set of rules and regulatory practices for the EU. For the OSS to succeed, there must be an 
increase in mutual trust and understanding between SAs from different regulatory cultures. CIPL does 
not underestimate the challenges faced by the EDPB in fostering this change. CIPL appreciates the 
excellent work that has been carried out so far. We believe, however, that this has to be carried 
further. From a policy perspective and taking into account the GDPR’s objectives, the Guidelines 
should clearly assert that the threshold for lodging a relevant and reasoned objection is set at high 
level, as an exception, rather than a rule and only for the most serious cases that fulfil the stated 
criteria. 


6. Controllers and processors subject to enforcement proceedings or penalties that have engaged 
the consideration of relevant and reasoned objections will seek discovery and disclosure of such 
material in order to bring appeals. This raises the risk of multiple court actions arising, 
potentially undermining the aims of effective regulation. 


As noted in point 5 above, controllers and processors facing cross border enforcement are likely to be 
large organisations. As such, they are likely to be well-funded and able to call on significant legal 
resource. Every element of the process of making enforcement or penalty decisions is likely to be 
minutely scrutinised. LSAs and CSAs will need to evidence robust procedures throughout the 
consistency process. Failure to do so is likely to offer grounds for legal challenges. Where an 
enforcement decision is made in a case in which relevant and reasoned objections have been made, 
it is likely that access to these materials will be sought as relevant to any appeal proceedings. If a 
decision is made not to take action against a controller or processor in cases in which there have been 
complaints, it is equally possible that complainants will seek access to material. 


The process of objection will delay decision-making, potentially bring in additional satellite litigation 
and involve significant work by the EDPB to resolve matters. It is therefore imperative that objections 
are not lodged other than in serious and significant cases. 


7. It should be acknowledged that in nearly every case, a cross-border enforcement or penalty 


decision will have a potential impact on the free flow of data. Hence, it is likely that it should be 
considered in all cases. 


CIPL concurs with the Guidelines at paragraph 40 that the free flow of data within the Union is to be 
weighted “where applicable”. However, it should be recognised explicitly in the Guidelines that this is 
likely to be the case in all cross-border enforcement. Accordingly, SAs should always consider whether 
it is applicable and record that consideration. 


8. The risks to individual rights and freedoms and the risks to the free flow of data must be given 
equal weight. 


It should be made clear in the Guidelines that, where the free flow of data within the Union is 
considered, risk to the free flow of data must be given equal weight to any risks to the rights and 
freedoms of data subjects. 


9. The Guidelines should expressly recognise that the work of investigation, process to reach a 
draft decision and enforcement powers are matters governed by Member State laws and 
procedural rules. Due weight and respect must be accorded to these factors. 


Article 57(1)(a) of the GDPR provides that SAs shall, on the territory of their Member State, monitor 
and enforce the application of the GDPR. The corrective powers of SAs under Article 58(2) include 
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powers to issue reprimands and mandatory orders. The manner in which the powers can be exercised 
can be set out in national law. Legislators may have adopted different formulations. As an example, 
the UK Data Protection Act 2018 provides that the UK SA, the Information Commissioner, may issue 
an enforcement notice where satisfied that a person has failed or is failing to comply with the specified 
provisions’. The Information Commissioner may issue a penalty notice (a financial penalty) where a 
person has failed or is failing with specified provisions®. The Information Commissioner cannot issue 
an enforcement notice or impose a penalty in respect of a potential future breach. Accordingly, the 
suggestion at paragraph 43 of the Guidelines that a decision could seek to penalise a controller in 
relation to a potential future breach would not be permissible under UK law. 


Any draft decision presented by a LSA must comply with the national law applicable to the LSA. Any 
notice or penalty imposed will take effect under that law and must be in accord with, and enforceable 
under, that law. The process of lodging relevant and reasoned objections must respect national 
provisions under which SAs operate. An objection cannot be relevant if accepting the objection would 
lead to a breach of national provisions by the LSA. CIPL would urge the EDPB to make clear in its 
Guidelines that the parameters of national laws must be respected. 


10. A relevant and reasoned objection must relate to the decision itself and not the associated 


procedure unless the failure to follow proper procedures has wholly undermined the validity of 
the draft decision. 


The Guidelines state at paragraph 30 that a failure by a LSA to have regard to procedural requirements 
may give rise to a relevant and reasoned objection. The example provided is of a LSA that fails to take 
“utmost account” of a proposed draft notice from the CSA that had referred a matter of complaint. 
CIPL’s view is that an objection in such a case could only properly be made if the failure to take utmost 
account of the views of the CSA resulted in a defective notice and the objection met the relevant tests 
in relation to risks to the fundamental rights and freedoms of data subjects and the free flow of data. 
Failure to follow the due process should not be sufficient grounds for an objection unless the draft 
decision is significantly impaired by the failure. 


CIPL would assume that the starting presumption is that a LSA has acted properly in weighing the 
objection of a CSA. The burden of showing that a LSA has failed to take utmost account of a submission 
by a CSA should rest with the CSA. 


IV. CONCLUSION 


In conclusion CIPL welcomes and supports the introduction of the Guidelines, subject to the comments 
and submissions made herein. 


If you would like to discuss any of the comments in this paper or require additional information, please 


contact Bojana Bellamy, bbellamy@huntonAK.com; Rosemary Jay, Riay@HuntonAK.com; or Nathalie 
Laneret, nlaneret@HuntonAK.com. 


7 Data Protection Act 2018 s.149(1). 
8 Ibid s.155(1). 


